Upstream has issued an advisory on July 8:
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/

The issues are fixed upstream in 1.8.3 and 1.4.21.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Note that CVE-2015-5145 only affects version 1.8.2 in Mageia 5 and Cauldron.

Debian and Ubuntu have issued advisories for this today (July 9):
https://www.debian.org/security/2015/dsa-3305
http://www.ubuntu.com/usn/usn-2671-1/
URL: (none) => http://lwn.net/Vulnerabilities/650632/
Mageia 5:

Update packages:
python-django-doc-1.8.3-1.mga5.noarch.rpm
python-django-1.8.3-1.mga5.noarch.rpm
python3-django-1.8.3-1.mga5.noarch.rpm
python-django-bash-completion-1.8.3-1.mga5.noarch.rpm

From:
python-django-1.8.3-1.mga5.src.rpm

Mageia 4:

Update packages:
python-django14-1.4.21-1.mga4.noarch.rpm

From:
python-django14-1.4.21-1.mga4.src.rpm
Did we decide to drop support for Django 1.5 in Mageia 4? I vaguely think I remember we did, which is fine, we'd just need to say something in the advisory since we hadn't yet.
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=13251#c6

Advisory:
========================

Updated python-django and python-django14 packages fix security vulnerabilities:

Eric Peterson and Lin Hua Cheng discovered that a new empty record used to be created in the session storage every time a session was accessed and an unknown session key was provided in the request cookie. This could allow remote attackers to saturate the session store or cause other users' session records to be evicted (CVE-2015-5143).

Sjoerd Job Postmus discovered that some built-in validators did not properly reject newlines in input values. This could allow remote attackers to inject headers in emails and HTTP responses (CVE-2015-5144).

django.core.validators.URLValidator included a regular expression that was extremely slow to evaluate against certain inputs. This regular expression has been simplified and optimized (CVE-2015-5145).

The Mageia 4 python-django14 and Mageia 5 python-django packages have been updated to versions 1.4.21 and 1.8.3 respectively to fix these issues. Note that the CVE-2015-5145 issue only affected python-django.

Note: the python-django package in Mageia 4, based on Django 1.5.9, is no longer supported. Users of this package are advised to migrate to Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5145
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
https://www.debian.org/security/2015/dsa-3305
CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA4TOO => MGA4TOO has_procedure
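The session-store issue (CVE-2015-5143) in the advisory above, as an added illustration that is not Django's code or part of this bug report: a toy in-memory session backend with the old behaviour (an unknown cookie key gets an empty record written at once) beside the corrected behaviour (an unknown key yields an empty, unsaved session, and storage is only consumed on an explicit save). The record counter is the metric a defender would watch for saturation.

```python
import secrets


class SessionStore:
    """Minimal in-memory session backend (constructed for illustration).

    create_on_unknown_key=True models the pre-fix behaviour; False models
    the fix, where nothing is persisted until data is actually saved.
    """

    def __init__(self, create_on_unknown_key: bool):
        self._records: dict[str, dict] = {}
        self.create_on_unknown_key = create_on_unknown_key

    def load(self, session_key: str) -> dict:
        """Return session data for the key carried in the request cookie."""
        if session_key in self._records:
            return self._records[session_key]
        if self.create_on_unknown_key:
            # Old behaviour: every unknown key costs one stored record,
            # so arbitrary cookie values grow the store without bound.
            self._records[session_key] = {}
            return self._records[session_key]
        # Fixed behaviour: hand back an empty session, persist nothing.
        return {}

    def save(self, data: dict) -> str:
        """Persist data under a freshly generated key and return that key."""
        key = secrets.token_hex(16)
        self._records[key] = dict(data)
        return key

    def record_count(self) -> int:
        return len(self._records)


def records_after_unknown_keys(store: SessionStore, n: int) -> int:
    """Load n distinct unknown keys (constructed values) and report how many
    records the store holds afterwards: n for the old code, 0 for the fix."""
    for i in range(n):
        store.load(f"unknown-key-{i}")
    return store.record_count()
```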
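The validator issue (CVE-2015-5144) in the advisory above comes down to a Python regex detail: in the `re` module, `$` also matches just before a single trailing newline, while `\Z` matches only at the true end of the string. The following is an added example, not Django's validator code: a simplified, constructed e-mail pattern anchored both ways, plus an explicit newline check that is independent of the regex.

```python
import re

# Constructed, simplified e-mail pattern (not Django's real EmailValidator
# regex). Same body, two anchors: `$` accepts "user@example.com\n",
# `\Z` does not.
_BODY = r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
EMAIL_DOLLAR = re.compile(_BODY + r"$")
EMAIL_Z = re.compile(_BODY + r"\Z")


def is_valid_dollar(value: str) -> bool:
    """Pre-fix style anchoring: lets one trailing newline through."""
    return EMAIL_DOLLAR.match(value) is not None


def is_valid_z(value: str) -> bool:
    """Fixed-style anchoring: the match must reach the real end of input."""
    return EMAIL_Z.match(value) is not None


def contains_newline(value: str) -> bool:
    """Defence in depth: a header value must never carry CR or LF,
    whatever the format-specific regex says."""
    return "\r" in value or "\n" in value


def header_value_or_error(value: str) -> str:
    """Accept a value for an e-mail/HTTP header only if it passes both the
    correctly anchored regex and the newline check; raise otherwise."""
    if contains_newline(value) or not is_valid_z(value):
        raise ValueError("rejected header value")
    return value
```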
Testing MGA4 x64

Followed the excellent instructions (thanks Claire) in
https://bugs.mageia.org/show_bug.cgi?id=13251#c6
but *only for Python [2]*. Although I have Python 3 installed,
$ python3-django-admin.py startproject mysite
yielded "bash: python3-django-admin.py: command not found". If someone could clarify this, I can try that too.

BEFORE: python-django14-1.4.20-1.mga4
Exactly as described, showing the page "It worked! Congratulations on your first Django-powered page."

AFTER: python-django14-1.4.21-1.mga4
Same result, so this is OK.

I refrain from MGA4-64-OK'ing this until it can be tried with Python 3 also.
CC: (none) => lewyssmith
(In reply to Lewis Smith from comment #5)
> Testing MGA4 x64
>
> Followed the excellent instructions (thanks Claire) in
> https://bugs.mageia.org/show_bug.cgi?id=13251#c6
> but *only for Python [2]*. Although I have Python 3 installed,
> $ python3-django-admin.py startproject mysite
> yielded "bash: python3-django-admin.py: command not found". If someone could
> clarify this, I can try that too.

python-django14 in Mageia 4 doesn't have a Python 3 version, that's all, so you can put MGA4-64-OK.
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA4-64-OK
LWN reference for CVE-2015-5145:
http://lwn.net/Vulnerabilities/652178/

Fedora has issued an advisory for this on July 13:
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162302.html
Works fine on Mageia 5 32-bit.
CC: (none) => shlomif
Whiteboard: MGA4TOO has_procedure MGA4-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-32-OK
I am going to do MGA5-64 now. Stay tuned.
Works fine on MGA5-64. MGA5-64-OK.
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-32-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-32-OK MGA5-64-OK
Advisory uploaded, validating.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure MGA4-64-OK MGA5-32-OK MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0293.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED